To date, the zero-trust model has largely been thought of, and implemented as, a technology strategy — one that helps organizations strengthen their cybersecurity posture. This is understandable, as the concept of zero trust is centered on one key theme: never trust, always verify. That principle places perimeters around data, applications and networks while allowing those perimeters to be dynamic and fluid based on risk, with an identity- and data-centric approach. However, when one considers the risks of intellectual property loss, reputation damage, theft, etc., that exist outside of the digital realm, zero trust is also a sound approach to protecting the integrity of the entire business.
The reason for this is that physical intruders, insiders, and third parties can lead to many of the same problems that you're trying to prevent in the cyber world: stolen documents, leaked sensitive data, etc. These same threat actors can also use physical tactics to compromise electronic assets — for example, walking around the office looking for Post-it notes with passwords. Consider these other examples:
- A physical intruder gains unauthorized access to your building by posing as a delivery driver. (Let's face it — none of us bats an eye when a delivery person or a plant-waterer is walking around the office.)
- A potential "acquirer" holds a meeting with the executive team to see product plans, only to go off and use these plans to build the product themselves.
- Someone breaks into your office after hours to steal important company files.
- An executive casually mentions a confidential acquisition to co-workers in the lunchroom without validating that those employees can be trusted with the information.
- An employee sends a recorded Zoom call to someone outside of the organization for nefarious purposes.
And the list goes on. Put on your "black hat" for a moment and think about all the ways you might unintentionally compromise information in your office — it wouldn't be that hard, right?
This presents an opportunity for CISOs. Those who are committed to adopting zero trust this year have the opportunity to make a larger business case for it across the organization — working with the chief risk officer, chief executive officer (CEO), and other executive leaders to develop and implement a zero-trust framework across the entire enterprise. This will not only strengthen the company's overall security posture, but it will also help CISOs solidify their position in the upper echelons of the business. Case in point: A recent survey by Forrester found that 82% of the 317 global security decision-makers polled said that "they are committed to migrating to a Zero Trust security architecture, and their interest in Zero Trust has elevated the role of CISO to board-level visibility at 49% of organizations."
Zero Trust in the World of Physical Security
For most companies, applying a zero-trust model across physical security strategies is still uncharted territory, and knowing where to start is half of the battle. Of course, there are the age-old, general physical security best practices, such as required badge entry, ensuring employees lock their computers anytime they leave their desk, and making sure employees keep passwords in their heads rather than on Post-it notes.
But the most effective way to embed the concept of zero trust is to expand employee education beyond the cyber realm to all areas of the business. And it needs to reach all employees (the executive giving away intellectual property to that potential acquirer needs to learn a thing or two about zero trust!). Two fundamental shifts in perspective need to happen to achieve this:
- First, employees need to understand that data breaches, intellectual property leaks, insider financial leaks, and other security incidents don't only result from attacks on corporate networks; they can also result from physical device theft or the activities of the person in the next cube.
- Second, they need to recognize that they're responsible for protecting more than themselves from security threats; they must also do their part to protect their organization. Damaging security breaches hurt everyone, and no one is exempt from doing their part.
And organizations will need to implement a zero-trust framework without calling it zero trust (it's definitely a morale killer if you tell all your employees you don't trust them). Internal communications teams should come up with creative campaigns, so employees rally behind and adopt zero-trust concepts (talking about "protecting each other," for example, is a nice way to flip things around).
When employees shift their thinking in this way, companies can be successful with enterprise-wide adoption of a zero-trust framework to uphold physical security. Instead of ignoring that delivery guy, they'll have the knowledge and background to ask, "Hmmm … why is he walking around the office?" and alert the front desk or security.
Most CISOs are also more experienced at encouraging safe employee behavior than other executives, which puts them in a strong position to drive employee education initiatives around a zero-trust-driven workplace. So, as more of you CISOs embrace zero trust this year, take a step back and think about how your initiative could be much larger and have a more profound impact, not only on your organization's overall security posture but also on your personal posture within the executive suite.